A malicious npm package named "@acitons/artifact" was observed typosquatting the legitimate "@actions/artifact" package with the intent of targeting GitHub-owned repositories.

In a Nov. 10 blog post, Veracode researchers said the intent was to have this script execute during a build of a GitHub-owned repository, exfiltrate the tokens available to the build environment, and ultimately use the tokens to publish new malicious artifacts under GitHub's identity.

Veracode said their Veracode Package Firewall customers were protected from downloading the malicious npm package as of Nov. 7, when Veracode researchers triaged it.

“This incident shows that there’s a clear need for proactive supply chain security,” said Boris Cipot, senior security engineer at Black Duck. “This would include automated dependency scanning to detect vulnerabilities and suspicious packages in real-time.”

Cipot added that to avoid typos, security teams can use services such as Socket.dev or Phylum to monitor for lookalike packages and suspicious behavior. For CI/CD environments, Cipot said it’s recommended to use short-lived, scoped tokens and rotate secrets regularly.

Randolph Barr, chief information security officer at Cequence Security, added that this incident isn’t just about a malicious npm package: it’s about the blind trust many organizations place in the modern software supply chain. Barr said the @acitons/artifact campaign demonstrates how attackers have shifted left, targeting the build process itself rather than production systems.

“Most organizations focus their controls on runtime environments, yet the CI/CD pipeline often runs with higher privilege than any developer,” said Barr. “A single typosquatted dependency can silently execute code during a build, access repository tokens, and impersonate an organization, just as this attack attempted to do with GitHub’s own repositories.”

Barr said security teams must lock down build tokens and strictly limit their privileges, enforce egress controls on build runners so that malicious scripts cannot “phone home,” require dependency signing and peer review of all new packages. They also need to treat build pipelines as production assets, with the same level of monitoring, logging, and anomaly detection.

“Ultimately, this is as much a governance and identity challenge as it is a technical one,” said Barr. “Every CISO should assume that their supply chain, especially CI/CD, is part of their attack surface and apply zero-trust principles accordingly. The lesson is simple: you can’t protect what you don’t verify, and in 2025, that includes every automated system that touches code.”

Michael Bell, CEO and founder of Suzu Inc., added that this was a targeted attack on GitHub itself and while technically sophisticated, it essentially relied on a simple typo. Bell pointed out that the attacker published "@acitons/artifact" — only missing the "t" in "actions" with malware that only executed in GitHub Actions workflows.

“The design appears to be a little clever," said Bell. "It checked for GITHUB_ environment variables before exfiltrating tokens, included a time-based kill switch, stopped after Nov. 6, 2025, suggesting a specific campaign window, and achieved more than 47,000 downloads with the goal of compromising GitHub's own repositories to publish malicious artifacts under GitHub's identity.”

Malicious npm package uses typosquatting to infect legitimate GitHub repo




